Thanks Paul. Filed DRILL-7351 for this.
It's worth noting that hosting a web app (such as the Drill web UI) does
not prevent CSRF attacks as a malicious web site can still attempt to call
into private/non-public websites (eg. from Javascript in the browser), it
may not get access to the reply but even then can trigger a mutation (eg. a
POST request) on the private web app.
Best regards,
Dondi
On Fri, Aug 16, 2019 at 11:58 AM Paul Rogers
wrote:
> Hi Don,
>
> The one saving grace is that no one should ever host the Drill web UI on a
> public-facing web site. The UI provides lots of admin operations that one
> would not really want to expose openly.
>
>
> A much better solution would be to wrap Drill in a custom-made web app
> that controls what someone can do; the same way that a DB is exposed via a
> custom app, not by a public-facing PhpMyAdmin...
>
> Still, this should be fixed. Please file a JIRA with your findings.
>
> Thanks,
> - Paul
>
>
>
> On Thursday, August 15, 2019, 8:33:19 PM PDT, Don Perial <
> perial...@gmail.com> wrote:
>
> It seems that there is no way to protect the WebUI from CSRF and the fact
> that the value for the access-control-allow-origin header is '*' appears to
> confound this issue as well. I have searched the documentation and also did
> quite a bit of Googling but have not seen any references to this. Is this
> known and/or intended behavior?
> The attached file should demonstrate the (elementary) attack.
>
> Thanks In advance,
> P
>
